Sneaker's Stub – The Grey Stuff!

OVERTHEWIRE NATAS SERIES: LEVEL 12 – 14

This write-up is the walkthrough for OverTheWire Natas level 12 to level 14. Both levels are image-upload challenges in which we have to upload a shell by bypassing the server-side checks.

LEVEL 12 – 13:

The above image is the screen for the OverTheWire Natas challenge 12. When you click on “View sourcecode”, this is what you will find:

The part marked 1 is the PHP function that checks the size of the file. The file we upload is renamed using the random-name function written above it, and the random path is built under “/uploads/”. If you look closely, the code marked 2 is the HTML form, and it carries two hidden values: the size limit and the random name created by the PHP genRandomString() function.

I started Burp Suite to change the values of the submitted form. In the highlighted strings below, I made the changes.

fi70lbrlhp.jpg was the random name the function generated; I changed the extension to .php.
pic.php is the actual file I uploaded, which contains the highlighted PHP code above.

This is the PHP code used in the pic.php file, the one I uploaded:

<?php echo passthru('cat /etc/natas_webpass/natas13'); ?>

Forward the request.

Click on the generated link above and the password for level 13 will be echoed.

LEVEL 13-14:

This level is very similar to level 12; the only difference is that the security is a bit higher. The file content is checked to see whether it is an image file or not. If you click the “View sourcecode” button, you will see the code is very similar to level 12, but the one added line is the exif_imagetype function, which checks the type of the file.
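Both levels come down to the same two handler weaknesses: level 12 trusts the hidden filename and size fields the client sends back, and level 13 trusts exif_imagetype(), which only reads the magic bytes at the start of the file. The following is an added example of a hardened upload handler, written for this write-up; it is not the Natas challenge source. It assumes the form field is named "uploadedfile" and that UPLOAD_DIR is a directory the web server does not serve; both are assumptions, not values taken from the challenge. It needs the exif and GD extensions and PHP 8 (for match).

```php
<?php
declare(strict_types=1);

// Added example, not the Natas challenge code: a hardened version of the
// upload handler whose weaknesses are shown in levels 12-13 and 13-14.
// Assumptions: form field "uploadedfile", and UPLOAD_DIR outside the web root.

const UPLOAD_DIR       = __DIR__ . '/../private_uploads';  // assumed path, not served by the web server
const MAX_UPLOAD_BYTES = 1000;                              // enforced here, not via a hidden form field

// Image types we accept, mapped to the extension we assign. The extension
// always comes from this table, never from anything the client sends.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

function handleUpload(array $file): string
{
    // 1. Reject anything PHP itself flagged, and enforce the size limit server-side.
    //    Level 12 shows why: a hidden MAX_FILE_SIZE field is only a hint the client can rewrite.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 2. Header check, as in level 13. On its own this is not enough: exif_imagetype()
    //    only reads the leading magic bytes, so a file with a valid image header and
    //    PHP appended after it still passes this test.
    $type = @exif_imagetype($file['tmp_name']);
    if ($type === false || !isset(ALLOWED_TYPES[$type])) {
        throw new RuntimeException('Not an accepted image type');
    }

    // 3. Fully decode and re-encode with GD. Decoding fails on a file that is only a
    //    header, and re-encoding writes fresh pixel data only, so bytes appended to the
    //    original (the level 13 trick) or hidden in metadata never reach disk.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // 4. Name the file ourselves: random basename, extension from the detected type.
    //    The client-supplied "filename" field (level 12) is ignored entirely.
    $name = bin2hex(random_bytes(8)) . '.' . ALLOWED_TYPES[$type];
    $dest = UPLOAD_DIR . '/' . $name;

    $ok = match ($type) {
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not save image');
    }
    chmod($dest, 0640);   // readable by the app, not executable, not world-readable
    return $name;
}

// Usage: "uploadedfile" is the assumed form field name.
if (isset($_FILES['uploadedfile'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(handleUpload($_FILES['uploadedfile']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

The two changes that matter most are in steps 3 and 4: the saved file is freshly encoded pixel data rather than the uploaded bytes, and its name and extension are chosen by the server from the detected type. Storing outside the web root (or in a directory where the web server has PHP execution disabled) is the backstop for the case where both of those checks are somehow bypassed.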

This time, I uploaded an actual image file.
Burp Suite intercepts the request:

I changed number 1 from jpg to php, and at number 2, along with the content of the image itself, I added a small piece of PHP code: